Executive Summary
Whilst very convenient and critical enablers of research at this time, all cloud-based online communication platforms carry inherent risks, and should only be used where the risk to participants is considered ‘low’ or ‘moderate’ should data inadvertently be disclosed. Consenting processes should make the potential risks to participants clear, and offer alternative methods for data collection should participants so wish.
Detail
There have been a number of articles in the last few days about the ‘Zoom’ video-conferencing platform and perceived privacy / security issues, and this has led to questions about its suitability for use. Current circumstances have introduced drastic changes to the way that we live and work, and many of these changes have been implemented very quickly. One result of the vast majority of the country suddenly transitioning to remote working is that platforms which facilitate this, such as Zoom, have seen sudden uptake in their services, and have suddenly garnered much more attention than was present a few days ago.
In Zoom’s case, this has resulted in a level of scrutiny that has raised some questions which have captured the interest of the media. Certainly, some of the questions, and answers, that have been raised are troubling, but it would be a mistake to think that Zoom is the only platform to which many might apply. A quick scan of the media reveals similar questions that have been asked about many other platforms (including Facetime, WhatsApp, Skype, MS Teams, Jitsi to name a few about which we have been asked in the last few days), and many of the answers are equally troubling.
The reality is that it is difficult to guarantee the security of any online communication platform, and looking for phrases like ‘encryption’ in terms of service can be misleading because many services offer partial, but not complete encryption of traffic, and the way that this is described can be very confusing (or misleading). Language around the storing of logs of communications can also be very confusing. Researchers should also be aware that most platforms will allow any participant to capture or record the contents of a communication in real time, which potentially introduces a further risk. This is of particular concern for focus groups conducted via a video-conferencing platform as a participant could record the information being provided by other participants.
In an effort to provide some clarity for the research community, the McMaster Research Ethics Board, IT Security and the Office of the VP Research offer the following guidance (which will be updated as more information becomes available):
At the time of writing, McMaster University has institutional subscriptions for MS Teams and Zoom. Some faculties have subscriptions with other providers such as Vidyo. Institutional subscriptions offer certain protections to members of the McMaster community that are not present with services for which there is no institutional subscription. Therefore at this time, we recommend the use of MS Teams and Zoom for research activities which involve remote video communications.
Each service offers some advantages and disadvantages, and ultimately the choice largely comes down to preference. It is important to note that none of these platforms (nor any other online meeting platform) should be considered ‘fully secure’. Their use would be considered appropriate for low and medium risk studies, where the risk to participants should the contents of interviews be released is considered ‘low’ or ‘moderate’. However, the use of any video-conferencing platform for any data collection where the risk to participants should the contents of any interviews be released is considered ‘high’ is not appropriate. Such data should be collected via face-to-face interviews or by an encrypted voice calling or messaging service such as ‘Signal’ which has clear policies about the storing of logs of communication metadata.
Consent forms should include language that makes it clear what platforms are being used, and also that no guarantee of privacy of data can be made, so the risks of participation are clear. Example language might be “This study will use the X platform to collect data, which is an externally hosted cloud-based service. A link to their privacy policy is available here (LINK). Please note that whilst this service is approved for collecting data in this study by the McMaster Research Ethics Board, there is a small risk with any platform such as this of data that is collected on external servers falling outside the control of the research team. If you are concerned about this, we would be happy to make alternative arrangements for you to participate, perhaps via telephone. Please talk to the researcher if you have any concerns.” Note: Including the link to the privacy policy is not necessary when using one of the McMaster licensed videoconferencing platforms (MS Teams or Zoom) for low risk research. Additionally, only include the sentence on alternative arrangements if they are possible in your study. Consent forms should also include language that participants agree not to make any unauthorized recordings of the content of a meeting / data collection session, and in the case of focus groups remind participants that researchers cannot guarantee that all participants will refrain from recording the session.
The consent form should specify what is being recorded (audio only or both audio and video). Unless seeing the participant(s) via video is essential to the data collection methodology, the participant(s) should be given the option to participate in the meetings by audio only. When making recordings, it is important that they are saved to a local computer rather than to the cloud-based service wherever possible. Where recordings must be saved to a cloud, they should be downloaded to local storage and deleted from the cloud immediately.
Any meeting details should not be publicly posted, and should limit access to authorized participants, perhaps through the use of a meeting password or by requiring authenticated access.
More information regarding Zoom and Microsoft Teams:
Using Zoom for Research Involving Human Participants
Office of the AVP & CTO- Zoom video conferencing: Best practices for privacy and security
Licensing
Zoom licenses are now available to all students, staff and faculties. Please visit https://mcmaster.zoom.us/ and sign in with your MacID@mcmaster.ca and your MacID password to activate your zoom license.
Key Functionality
As with many collaboration platforms, Zoom offers HD Video and Audio, easy sharing of content, a digital whiteboard, accessibility functions and the ability to record meetings. Meetings can include up to 100 participants, and can last up to 24 hours.
Key advantages of using the zoom platform are the ability for people to join meetings using a telephone rather than needing a computer, the digital whiteboard, the ability to use break out rooms in a meeting, and the ability for people external to McMaster to join meetings easily. Zoom claims to be compliant with PIPEDA / PHIPA, and McMaster accounts only route traffic through Canadian data centres. However due to other security concerns (below), it is not considered an appropriate platform for sensitive data.
Key Concerns
Zoom has had many articles written about its services recently. Many of these have focused on concerns over security. Whilst it should be noted that no video conferencing platform should be treated as ‘highly secure’, zoom does seem to have some special challenges in this area. Nonetheless, the ability to join meetings using a telephone, the high quality of video and audio, and the ease at which people external to McMaster can join meetings makes it a very attractive option where concerns around privacy and security are not a key consideration. It is also worth noting that whilst Zoom is currently receiving a lot of bad press, similar concerns have been raised about many other platforms over the last few months, and Zoom is responding to many of the concerns in a timely manner.
Ultimately, it is up to individual researchers to weigh the benefits and risks and determine whether it is an appropriate platform for a study. MREB and HiREB staff are happy to provide guidance.
For reference, the key concerns that have been highlighted about Zoom at the time of writing are:
Encryption: Whilst Zoom does talk about having 256-bit encryption, there have been questions raised about the way in which this encryption has been implemented, and it is worth noting that information is not encrypted on the Zoom servers themselves.
Storage: Recent reports suggest that in certain situations, recordings made by Zoom can be stored on a publicly accessibly cloud without the knowledge of meeting hosts.
“Zoom bombings”: If security settings for meetings are not properly configured, it is possible for uninvited guests to join meetings. In some situations, these guests have joined meetings with the intent of being disruptive, which could be very troubling for research participants or students.
Configuring a Zoom meeting
When scheduling a Zoom meeting, the following options are recommended:
Meeting ID: Generate Automatically
Meeting Password: Require a meeting password
Video: Both host and participant video should be set to ‘off’ initially
Audio: Both (unless data collection requires the use of video, participants should be given the option to join by telephone only). Select a Canadian dial in number to minimize accidental costs to participants.
Select the following ‘Meeting Options’
Mute participants upon entry (to protect the privacy of particpants)
Enable waiting room (to prevent uninvited guests)
Publicizing a Zoom meeting
When publicizing a Zoom meeting, to prevent unwanted guests and protect against ‘Zoom bombings’ meeting hosts should not publicize meeting details more broadly than is necessary. Where it is possible to simply email meeting details to participants, this is the recommended method. Where meeting details must be publicly posted, meeting hosts are advised to post password information separately from other meeting details, and are cautioned that Zoom includes (hashed) passwords in the URLs that it generates by default, which should be removed prior to posting.
Recording a Zoom meeting
Meeting hosts should be aware that with enough technical awareness, any participant in a video conferencing meeting (using any platform) has the ability to record the meeting without the hosts knowledge. Consenting processes should make this clear to all participants.
From the web interface, hosts should log into their account and then click on ‘my account’, ‘settings’, and click on the ‘recording’ tab. The following options should be set:
Local recording should be ‘on’
Hosts can give participants the permission to record locally should be ‘off’
Cloud recording should be ‘off’
Automatic recording should be ‘off’
IP Address Access Control should be ‘off’
Require password to access shared cloud recordings should be ‘on’
Auto delete cloud recordings after days should be set to ‘on’ with the time range set to no more than 7 days. This is just to ensure any cached recording files are deleted since you are going to be saving recordings locally.
Recording disclaimer should be set to ‘on’.
Ask participants for consent when a recording starts should be set to ‘on’.
Ask host to confirm before starting a recording should be set to ‘on’.
When recording a meeting, which is initiated from within the meeting client, select ‘Record on this Computer’ (recordings should not be stored on the Zoom cloud servers). Meeting hosts should be aware that even though you have selected a local recording, some caching of data may be done at the server to allow for the local recording. All participants should be aware that they are being recorded, and should have given their consent for this.
Using MS Teams for Research Involving Human Participants
Licensing
McMaster currently has an institutional license for MS Teams. Licenses are available to all faculty, staff and students. The platform can be accessed by visiting https://teams.microsoft.com and logging in with your MacID. Clients can also download Microsoft Teams.
Key Functionality
As with many collaboration platforms, MS Teams offers HD Video and Audio, easy sharing of content, accessibility functions and the ability to record meetings. Meetings can include up to 250 participants, and can last up to 8 hours.
Key advantages of using the MS Teams platform are the integration with MS Office products, the platforms use of a Canadian cloud-based infrastructure, the comprehensive use of encryption for data both in transit and at rest, and a highly limited ability for people external to McMaster to join meetings easily, which offers greater security for studies in which participants are all within McMaster, but can make it difficult to use for studies which include participants who are external to McMaster.
Key Concerns
Using MS Teams requires a MacID which makes it hard to use with participants external to McMaster.
It is not possible to join a McMaster MS Teams meeting by telephone at the time of writing.
Recordings of meetings are automatically stored to the Microsoft cloud.
Configuring a MS Teams meeting
There are no options to set when scheduling an MS Teams meeting (which must be done from within a recent Outlook client).
Publicizing an MS Teams meeting
Since participants must be authenticated to join a meeting, MS Teams meetings are not subject to issues such as ‘Zoom bombings’. However, since meetings can only be joined by authenticated users, this makes the platform challenging to use for studies in which there are external participants.
Recording an MS Teams meeting
Meeting hosts should be aware that with enough technical awareness, any participant in a video conferencing meeting (using any platform) has the ability to record the meeting without the hosts knowledge. Consenting processes should make this clear to all participants.
MS Teams meeting recordings are all stored on the Microsoft Cloud and must be manually downloaded and deleted from the cloud. All participants should be aware that they are being recorded, and should have given their consent for this.
If you are applying to MREB and have questions about using online communication platforms for human participant research, or would like further guidance on the MREB review process, please contact the MREB Ethics Office (mreb@mcmaster.ca).
If you are applying to the HiREB, you may contact the eREBhelpdesk@hhsc.ca.